Clickjacking: Attacks and Defenses
Lin-Shung Huang1, Alex Moshchuk2, Helen Wang2, Stuart Schechter2, and Collin Jackson1
1Carnegie Mellon University 2Microsoft Research Example: Likejacking
attacker.com
Claim your FREE iPad
attacker.com
The user is tricked to click on something he didn’t intend to click on
2 Outline
• Defining clickjacking • Existing defenses are insufficient – We evade them with three new attack variants – Our user study on Amazon Mechanical Turk shows that people fall for these attacks • New defense to address root causes – Our user study demonstrates its effectiveness
3 Defining clickjacking • Prerequisite: multiple mutually distrusting applications sharing the same display • An attack application compromises context integrity of another application’s UI when the user acts on the UI
Visual integrity Context integrity consists of Target is visible visual integrity + temporal integrity Pointer is visible
1. Target checked 2. Initiate click 3. Target clicked
Temporal integrity Target = Target clicked checked 4 Pointerclicked = Pointerchecked Compromise visual integrity – target
• Hiding the target • Partial overlays $ 0
$ 0
Click
5 Compromise visual integrity – pointer
• Manipulating cursor feedback
Claim your FREE iPad
6 Compromise temporal integrity
• Bait-and-switch
Claim your FREE iPad
7 EXISTING DEFENSES
8 Existing defenses to protect visual integrity • User confirmation – degrades user experience • UI randomization – unreliable (e.g. multi-click attacks) • Framebusting (X-Frame-Options) – incompatible with embedding 3rd-party objects • Opaque overlay policy (Gazelle browser) – breaks legitimate sites • Visibility detection on click (NoScript)
– false positives 9 Protecting temporal integrity
• Imposing a delay after displaying UI – annoying to user
None of current defenses consider pointer 10 NEW ATTACK VARIANTS
1. Accessing user’s webcam 2. Stealing user’s email 3. Revealing user’s identity
11 Evaluating attacks
• 2064 Amazon Mechanical Turk web users – 25 cents per user – Users can only participate once, and only for one treatment
12 Attack #1: Accessing User’s Webcam
Fake cursor
Real cursor
Attack technique: cursor-spoofing Attack success: 43% (31/72) 13 Attack #2: Stealing User’s Emails
Attack technique: pop-up window Attack success: 47% (43/90) 14 Attack #3: Revealing User’s Identity • Whack-a-mole game
Attack technique: cursor-spoofing + fast-paced clicking
Attack success: 98% (83/84) 15 InContext Defense
16 Design Goals
• Should support embedding 3rd-party objects • Should not prompt users for their actions • Should not break existing sites • Should be resilient to new attack vectors
17 InContext Defense
• A set of techniques to ensure context integrity for user actions • Server opt-in approach – Let websites indicate their sensitive UIs – Let browsers enforce context integrity when users act on the sensitive UIs
attacker.com
18 Ensuring visual integrity of target
• Dynamic OS-level screenshot comparison – processing delay on click < 30ms (prototype on IE 9)
What is displayed What should be seen (OS screenshot) (Reference bitmap)
19 Ensuring visual integrity of pointer • Remove cursor customization – Attack success: 43% -> 16%
20 Ensuring visual integrity of pointer • Freeze screen around target on pointer entry – Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%)
Margin=10pxMargin=20px
21 Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry – Attack success (Freezing + lightbox): 2%
22 Enforcing temporal integrity
User checks target
Enforce User clicks target temporal integrity System delivers click to target app
• UI delay: after visual changes on target or pointer, invalidate clicks for X ms • Pointer re-entry: after visual changes on target,
invalidate clicks until pointer re-enters target 23 Enforcing temporal integrity • UI delay: after visual changes on target or pointer, invalidate clicks for X ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89)
24 Enforcing temporal integrity • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88)
25 Whack-a-mole attack
• Exclude victims who were moving their pointer around the Like button for many seconds, and deliberating whether or not to click • Defense against clickjacking aspects – Screen freezing, margin=20px: 98% -> 16% – Screen freezing, margin=20px, pointer entry delay=500ms: 4% – Screen freezing, margin=20px, pointer entry delay=1000ms: 1% • Social eng. aspects – 63% users intentionally clicked on Like button after our defenses made them fully aware of this
26 Conclusion
• We demonstrated new clickjacking variants that can evade current defenses
• Our user studies show that our attacks are highly effective (success rates 43% to 98%)
• Our InContext defense can be very effective against clickjacking – Ongoing efforts: UI Safety W3C proposal
27 QUESTIONS? [email protected]
28